plugin_krb5_phase1: Added few more tests
* Check that admin principals have the disallow_tgt_based attribute
* Check that regular user principals have the requires_pre_auth and disallow_svr attributes
* Check for weak crypto
* Use kdb5_util for this
parent
ac526be452
commit
4d5b41cb4e
@ -197,6 +197,7 @@
|
|||
istat) ISTATBINARY="${BINARY}"; LogText " Found known binary: istat (file information) - ${BINARY}" ;;
|
||||
journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}" ;;
|
||||
kadmin.local) KADMINLOCALBINARY="${BINARY}"; LogText " Found known binary: kadmin.local (krb5) - ${BINARY}" ;;
|
||||
kdb5_util) KDB5UTILBINARY="${BINARY}"; LogText " Found known binary: kdb5_util (krb5) - ${BINARY}" ;;
|
||||
kldstat) KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
|
||||
kstat) KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
|
||||
launchctl) LAUNCHCTL_BINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;;
|
||||
|
|
|
@ -10,14 +10,14 @@
|
|||
# PLUGIN_DESC=Kerberos
|
||||
# PLUGIN_NAME=krb5
|
||||
# PLUGIN_REQUIRED_TESTS=
|
||||
# PLUGIN_VERSION=0.1
|
||||
# PLUGIN_VERSION=0.2
|
||||
#-----------------------------------------------------
|
||||
#
|
||||
#########################################################################
|
||||
#
|
||||
|
||||
# Test for the prerequisites first
|
||||
if [ -n "${KADMINLOCALBINARY}" ]
|
||||
if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]
|
||||
then
|
||||
PREQS_MET="YES"
|
||||
# Make sure krb5 debugging doesn't mess up the output
|
||||
|
@ -106,10 +106,39 @@
|
|||
then
|
||||
LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
|
||||
fi
|
||||
elif ContainsString "/admin@" "${I}"
|
||||
then
|
||||
if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
|
||||
then
|
||||
LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
|
||||
fi
|
||||
elif ContainsString "^[^/$]+@" "${I}"
|
||||
then
|
||||
if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"
|
||||
then
|
||||
LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
# Test : KRB5-0005
|
||||
# Description : Check for weak crypto
|
||||
Register --test-no KRB5-0005 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')
|
||||
while read I J
|
||||
do
|
||||
LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
|
||||
done << EOF
|
||||
${FIND}
|
||||
EOF
|
||||
fi
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
|
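Review bot: When no weak keys are found, the here-document at `done << EOF` still delivers one empty line to `read I J`, so the loop body runs once and logs `Result: Kerberos principal  has a key with weak cryptographic algorithm ` with both fields blank; guard it with `if [ -n "${I}" ]; then LogText "..."; fi` inside the loop, or skip the loop entirely when `[ -z "${FIND}" ]`. The awk pattern also matches `sha1`, which — assuming column 4 of `tabdump keyinfo` is the enctype name — flags the aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 types that most realms still rely on and that RFC 8429 does not deprecate, so on a typical KDC every AES principal would be reported as having a weak key. If the intent is the RFC 8429 deprecated types, `/(des|arcfour)/` already covers des-cbc-*, des3-cbc-* and arcfour-hmac*; otherwise the log text should state that SHA-1-based AES types are deliberately included. In the KRB5-0004 branch above, `"\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b"` only matches when the two attributes appear in that order and cannot tell which one is missing although the message says "and/or"; two independent `ContainsString` checks would give a precise result and be order-independent.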